논문 상세보기
An Analysis of Canadian Revised Cybersecurity Regulatory Guide for SMRs
Recently, more than 70 SMRs have been developed around the world due to their modularity, flexibility, and miniaturization. An innovative SMR (i-SMR) is also being developed in Korea, and operators are planning to apply for a Standard Design Approval (SDA) in 2026 after completing the standard design. Accordingly, regulatory organizations are conducting R&D on regulatory requirements and guidelines for systematic SMR standard design review by referring to IAEA and NRC cases. In terms of security, SMRs are expected to undergo many changes not only in terms of physical security through security systems, security areas, and vital equipments, but also in terms of cybersecurity through new digital technologies, remote monitoring, and automated operation. Accordingly, the IAEA Fundamental Safety Principles (SF-1) require operators to improve the safety of nuclear facilities by considering security requirements, access control requirements, and the results of operational impact assessments based on threats from the design and construction stages. Similarly, the U.S. nuclear regulatory body (NRC) has confirmed the status of security assessment and design considering design basis threats (DBTs) in the NuScale standard design review process, and the Canadian nuclear regulatory body (CNSC) has revised security regulatory guidelines and applied them to the SMR standard design review. Among these various activities related to SMR security, this paper analyzes the major changes in the cybersecurity regulatory guidelines for SMRs recently revised by the CNSC, the Canadian nuclear regulatory body. Compared to the previous guidelines, the Defensive Cybersecurity Architecture (DCSA), including external logical access control, security level and zone communication requirements, verification and validation (V&V) activities during development phases, and system & service acquisition security requirements have been added. Other changes, such as the cyber incident response program, will be analyzed and compared. Through the revised regulatory guidelines, the CNSC has divided cybersecurity levels into four (High, Moderate, Low, and Business), strictly prohibiting remote access to High and Moderate levels, and allowing remote access to Low levels only for maintenance purposes. In addition, the paper will analyze the detailed revisions, such as prohibiting access to the High level from lower levels and allowing only handshaking signals from the Low level to the Moderate level.
